From d87c1bdc896cc0883ee5fff807f4c232b02f7e84 Mon Sep 17 00:00:00 2001 
From: Daniel Berteaud Date: Sat, 8 Jul 2023 16:00:11 +0200 Subject: [PATCH] Update to 2023-07-08 16:00 --- roles/consul/defaults/main.yml | 17 ---- roles/consul/tasks/cleanup.yml | 2 + roles/consul/tasks/conf.yml | 39 ++------ roles/consul/tasks/directories.yml | 6 -- roles/consul/tasks/facts.yml | 2 +- roles/consul/tasks/install.yml | 13 +-- roles/consul/tasks/services.yml | 7 -- roles/consul/templates/agent_token.tpl.j2 | 3 - roles/consul/templates/consul.service.j2 | 6 +- roles/consul/templates/consul.sh.j2 | 19 ---- roles/consul/templates/vault/agent.hcl.j2 | 44 --------- roles/consul/templates/vault/agent.service.j2 | 34 ------- .../templates/vault/agent_bundle.pem.tpl.j2 | 17 ---- .../consul/templates/vault/agent_token.tpl.j2 | 3 - .../templates/vault/cli_bundle.pem.tpl.j2 | 7 -- roles/consul_bin/tasks/install.yml | 6 +- roles/includes/create_selfsigned_cert.yml | 2 +- roles/matrix_synapse/defaults/main.yml | 2 +- roles/nomad/defaults/main.yml | 34 +------ roles/nomad/handlers/main.yml | 8 +- roles/nomad/meta/main.yml | 2 +- roles/nomad/tasks/archive_post.yml | 14 --- roles/nomad/tasks/archive_pre.yml | 29 ------ roles/nomad/tasks/cleanup.yml | 3 +- roles/nomad/tasks/conf.yml | 88 ++++++++++++------ roles/nomad/tasks/directories.yml | 15 ++- roles/nomad/tasks/facts.yml | 34 +------ roles/nomad/tasks/install.yml | 79 ++++------------ roles/nomad/tasks/main.yml | 8 -- roles/nomad/tasks/services.yml | 13 ++- roles/nomad/templates/nomad.service.j2 | 6 +- roles/nomad/templates/pre-backup.j2 | 2 - roles/nomad/templates/profile.sh.j2 | 2 - roles/nomad_bin/defaults/main.yml | 9 ++ roles/nomad_bin/tasks/facts.yml | 36 ++++++++ roles/nomad_bin/tasks/install.yml | 46 ++++++++++ roles/nomad_bin/tasks/main.yml | 7 ++ roles/nomad_bin/vars/RedHat.yml | 8 ++ roles/sftpgo/defaults/main.yml | 4 +- roles/vault_agent/defaults/main/consul.yml | 1 + roles/vault_agent/defaults/main/main.yml | 92 +++++++++++++++++++ roles/vault_agent/defaults/main/nomad.yml | 1 + 
roles/vault_agent/handlers/main.yml | 4 + roles/vault_agent/meta/main.yml | 4 + roles/vault_agent/tasks/conf.yml | 33 +++++++ roles/vault_agent/tasks/directories.yml | 18 ++++ roles/vault_agent/tasks/install.yml | 47 ++++++++++ roles/vault_agent/tasks/main.yml | 13 +++ roles/vault_agent/tasks/services.yml | 5 + .../templates/consul/agent_bundle.pem.tpl.j2 | 13 +++ .../templates/consul/consul.hcl.j2 | 12 +++ .../templates/nomad/agent_bundle.pem.tpl.j2 | 10 ++ .../templates/nomad/cli_bundle.pem.tpl.j2 | 6 ++ .../templates/nomad/consul.env.tpl.j2 | 3 + .../templates/nomad/consul_bundle.pem.tpl.j2 | 10 ++ .../vault_agent/templates/nomad/nomad.hcl.j2 | 69 ++++++++++++++ .../templates/nomad/update_nomad_cert.sh.j2 | 20 ++++ .../templates/nomad/vault.env.tpl.j2 | 3 + .../vault_agent/templates/vault-agent.hcl.j2 | 58 ++++++++++++ .../templates/vault-agent.service.j2 | 49 ++++++++++ 60 files changed, 708 insertions(+), 439 deletions(-) delete mode 100644 roles/consul/templates/agent_token.tpl.j2 delete mode 100644 roles/consul/templates/consul.sh.j2 delete mode 100644 roles/consul/templates/vault/agent.hcl.j2 delete mode 100644 roles/consul/templates/vault/agent.service.j2 delete mode 100644 roles/consul/templates/vault/agent_bundle.pem.tpl.j2 delete mode 100644 roles/consul/templates/vault/agent_token.tpl.j2 delete mode 100644 roles/consul/templates/vault/cli_bundle.pem.tpl.j2 delete mode 100644 roles/nomad/tasks/archive_post.yml delete mode 100644 roles/nomad/tasks/archive_pre.yml create mode 100644 roles/nomad_bin/defaults/main.yml create mode 100644 roles/nomad_bin/tasks/facts.yml create mode 100644 roles/nomad_bin/tasks/install.yml create mode 100644 roles/nomad_bin/tasks/main.yml create mode 100644 roles/nomad_bin/vars/RedHat.yml create mode 120000 roles/vault_agent/defaults/main/consul.yml create mode 100644 roles/vault_agent/defaults/main/main.yml create mode 120000 roles/vault_agent/defaults/main/nomad.yml create mode 100644 roles/vault_agent/handlers/main.yml 
create mode 100644 roles/vault_agent/meta/main.yml
create mode 100644 roles/vault_agent/tasks/conf.yml
create mode 100644 roles/vault_agent/tasks/directories.yml
create mode 100644 roles/vault_agent/tasks/install.yml
create mode 100644 roles/vault_agent/tasks/main.yml
create mode 100644 roles/vault_agent/tasks/services.yml
create mode 100644 roles/vault_agent/templates/consul/agent_bundle.pem.tpl.j2
create mode 100644 roles/vault_agent/templates/consul/consul.hcl.j2
create mode 100644 roles/vault_agent/templates/nomad/agent_bundle.pem.tpl.j2
create mode 100644 roles/vault_agent/templates/nomad/cli_bundle.pem.tpl.j2
create mode 100644 roles/vault_agent/templates/nomad/consul.env.tpl.j2
create mode 100644 roles/vault_agent/templates/nomad/consul_bundle.pem.tpl.j2
create mode 100644 roles/vault_agent/templates/nomad/nomad.hcl.j2
create mode 100644 roles/vault_agent/templates/nomad/update_nomad_cert.sh.j2
create mode 100644 roles/vault_agent/templates/nomad/vault.env.tpl.j2
create mode 100644 roles/vault_agent/templates/vault-agent.hcl.j2
create mode 100644 roles/vault_agent/templates/vault-agent.service.j2
diff --git a/roles/consul/defaults/main.yml b/roles/consul/defaults/main.yml
index 867677d..a1b1f00 100644
--- a/roles/consul/defaults/main.yml
+++ b/roles/consul/defaults/main.yml
@@ -123,23 +123,6 @@ consul_conf: "{{ consul_base_conf | combine(consul_extra_conf, recursive=True) |
 # ui_config:
 # enabled: False
-consul_base_vault_agent:
- # vault_address: https://active.vault.service.consul:8200
- #
- ## Only one of approle or token should be used
- # auth:
- # approle:
- # role_id: XXXX
- # secret_id: YYYY
- # token: XXXXXXX
- pki:
- enabled: False
- path: pki/consul
- role: consul-{{ consul_conf.server | ternary('server', 'client') }}
-consul_extra_vault_agent: {}
-consul_host_vault_agent: {}
-consul_vault_agent: "{{ consul_base_vault_agent | combine(consul_extra_vault_agent, recursive=True) | combine(consul_host_vault_agent, recursive=True) }}"
-
 # List of services exposed by consul, the ports they use, and the list of IP
 # for which the service is accessible at the firewall level (if iptables_manage == True)
 consul_base_services:
diff --git a/roles/consul/tasks/cleanup.yml b/roles/consul/tasks/cleanup.yml
index 1b69085..5ed9556 100644
--- a/roles/consul/tasks/cleanup.yml
+++ b/roles/consul/tasks/cleanup.yml
@@ -6,4 +6,6 @@
 - "{{ consul_root_dir }}/archives"
 - /etc/systemd/system/consul-template-consul.service
 - "{{ consul_root_dir }}/consul-template"
+ - "{{ consul_root_dir }}/vault"
+ - "{{ consul_root_dir }}/bin"
 tags: consul
diff --git a/roles/consul/tasks/conf.yml b/roles/consul/tasks/conf.yml
index ee0eb06..5e2800f 100644
--- a/roles/consul/tasks/conf.yml
+++ b/roles/consul/tasks/conf.yml
@@ -7,9 +7,7 @@
 vars:
 cert_path: "{{ consul_conf.tls.defaults.cert_file }}"
 cert_key_path: "{{ consul_conf.tls.defaults.key_file }}"
- cert_key_user: "{{ consul_user }}"
- cert_key_group: "{{ consul_user }}"
- cert_key_mode: 660
+ cert_key_mode: omit
 when: consul_conf.tls.enabled
 tags: consul
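Review bot: The conf.yml hunk passes the literal string `omit` as cert_key_mode and drops cert_key_user/cert_key_group, so the include no longer sets any ownership or mode on the private key; the file keeps whatever permissions it was created with until the "Set ACL on the TLS dir" task later in the same file makes it group-readable, and nothing on these lines records that dependency. A comment such as `# ownership and mode are applied by the "Set ACL on the TLS dir" task; 'omit' is a sentinel understood by create_selfsigned_cert.yml` would stop the next reader from restoring an explicit mode here. The two roles/nomad/tasks/conf.yml hunks further down make the same change and would benefit from the same comment.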
@@ -97,38 +95,15 @@
 loop: "{{ consul_backup_configs.stdout_lines }}"
 tags: consul
-- name: Deploy vault agent configuration
- template: src=vault/agent.hcl.j2 dest={{ consul_root_dir }}/vault/agent.hcl mode=640 owner=root group={{ consul_user }}
- notify: restart consul-vault-agent
- when: consul_vault_agent.pki.enabled
- tags: consul
-
-- name: Deploy agent cert bundle template
- template: src=vault/agent_bundle.pem.tpl.j2 dest={{ consul_root_dir }}/vault/templates/agent_bundle.pem.tpl owner=root group=root
- notify: restart consul-vault-agent
- when: consul_vault_agent.pki.enabled
- tags: consul
-
-- when:
- - consul_vault_agent.auth is defined
- - consul_vault_agent.auth.approle is defined
- - consul_vault_agent.auth.approle.role_id is defined
- - consul_vault_agent.auth.approle.secret_id is defined
- name: Setup AppRole auth
- block:
- - copy: content={{ consul_vault_agent.auth.approle.role_id }} dest={{ consul_root_dir }}/vault/role_id owner=root group={{ consul_user }} mode=640
- - copy: content={{ consul_vault_agent.auth.approle.secret_id }} dest={{ consul_root_dir }}/vault/secret_id owner=root group={{ consul_user }} mode=640
- tags: consul
-
 - name: Set ACL on the TLS dir
 shell: |
 setfacl -R -b -k {{ consul_root_dir }}/tls
- chown -R {{ consul_user }}:{{ consul_user }} {{ consul_root_dir }}/tls
- chmod 775 {{ consul_root_dir }}/tls
- chmod 660 {{ consul_root_dir }}/tls/*
- setfacl -m u:{{ consul_user }}:rwx {{ consul_root_dir }}/tls
- setfacl -m d:u:{{ consul_user }}:rw {{ consul_root_dir }}/tls
- setfacl -m u:{{ consul_user }}:rw {{ consul_root_dir }}/tls/*
+ chown -R :{{ consul_user }} {{ consul_root_dir }}/tls
+ chmod 770 {{ consul_root_dir }}/tls
+ chmod 640 {{ consul_root_dir }}/tls/*
+ setfacl -m u:{{ consul_user }}:rx {{ consul_root_dir }}/tls
+ setfacl -m d:u:{{ consul_user }}:r {{ consul_root_dir }}/tls
+ setfacl -m u:{{ consul_user }}:r {{ consul_root_dir }}/tls/*
 {% if consul_admin_groups | length > 0 %}
 setfacl -m {% for group in consul_admin_groups %}g:{{ group }}:rx{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls
 setfacl -m {% for group in consul_admin_groups %}d:g:{{ group }}:r{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls
diff --git a/roles/consul/tasks/directories.yml b/roles/consul/tasks/directories.yml
index 3d03aa2..836693a 100644
--- a/roles/consul/tasks/directories.yml
+++ b/roles/consul/tasks/directories.yml
@@ -28,10 +28,4 @@
 group: "{{ consul_user }}"
 mode: 750
 - dir: tls
- - dir: vault
- mode: 750
- owner: root
- group: "{{ consul_user }}"
- - dir: vault/templates
- - dir: bin
 tags: consul
diff --git a/roles/consul/tasks/facts.yml b/roles/consul/tasks/facts.yml
index 4b5c615..263f91a 100644
--- a/roles/consul/tasks/facts.yml
+++ b/roles/consul/tasks/facts.yml
@@ -9,6 +9,6 @@
 tags: consul
 - name: Check if the consul-template service still exists
- stat: path=/etc/systemd/system/consul-template
+ stat: path=/etc/systemd/system/consul-template-consul
 register: consul_ct_service
 tags: consul
diff --git a/roles/consul/tasks/install.yml b/roles/consul/tasks/install.yml
index 152a36b..80679c8 100644
--- a/roles/consul/tasks/install.yml
+++ b/roles/consul/tasks/install.yml
@@ -6,11 +6,6 @@
 notify: restart consul
 tags: consul
-- name: Deploy consul service wrapper
- template: src=consul.sh.j2 dest={{ consul_root_dir }}/bin/consul mode=755
- notify: restart consul
- tags: consul
-
 - name: Install backup hooks
 template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/consul mode=755
 loop:
@@ -31,14 +26,8 @@
 when: consul_tmpfiles.changed
 tags: consul
-- name: Install vault agent unit file
- template: src=vault/agent.service.j2 dest=/etc/systemd/system/consul-vault-agent.service
- register: consul_vault_agent_unit
- notify: restart consul-vault-agent
- tags: consul
-
 - name: Reload systemd
 systemd: daemon_reload=True
- when: consul_unit.changed or consul_vault_agent_unit.changed
+ when: consul_unit.changed
 tags: consul
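Review bot: In the "Set ACL on the TLS dir" hunk of roles/consul/tasks/conf.yml, `chmod 770 {{ consul_root_dir }}/tls` after `chown -R :{{ consul_user }}` gives the whole consul group write access to the directory, so any member, not just the consul process, can add, remove or replace entries there, including the private key; the equivalent task added to roles/nomad/tasks/conf.yml in this same commit uses 750. Unless something running as the consul user still has to write into this directory (the wrapper and vault-agent files that used to live under consul_root_dir are removed by this commit), `chmod 750 {{ consul_root_dir }}/tls` would match the nomad role and keep the group read-only, and the following `setfacl -m u:{{ consul_user }}:rx` line already gives the user itself traversal. The shell block continues past the end of the hunk.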
diff --git a/roles/consul/tasks/services.yml b/roles/consul/tasks/services.yml
index e95c9be..d872396 100644
--- a/roles/consul/tasks/services.yml
+++ b/roles/consul/tasks/services.yml
@@ -13,10 +13,3 @@
 when: consul_ct_service.stat.exists
 tags: consul
-- name: Handle consul-vault-agent service
- service:
- name: consul-vault-agent
- state: "{{ (consul_vault_agent.pki.enabled) | ternary('started', 'stopped') }}"
- enabled: "{{ (consul_vault_agent.pki.enabled) | ternary(True, False) }}"
- tags: consul
-
diff --git a/roles/consul/templates/agent_token.tpl.j2 b/roles/consul/templates/agent_token.tpl.j2
deleted file mode 100644
index 32b11e6..0000000
--- a/roles/consul/templates/agent_token.tpl.j2
+++ /dev/null
@@ -1,3 +0,0 @@
-[[ with secret "{{ consul_vault_agent.tokens.path }}/creds/{{ consul_vault_agent.tokens.role }}" ]]
-[[ .Data.token ]]
-[[ end ]]
diff --git a/roles/consul/templates/consul.service.j2 b/roles/consul/templates/consul.service.j2
index 49ffb0d..5e7f21b 100644
--- a/roles/consul/templates/consul.service.j2
+++ b/roles/consul/templates/consul.service.j2
@@ -3,10 +3,6 @@ Description="HashiCorp Consul - A service mesh solution"
 Documentation=https://www.consul.io/
 Requires=network-online.target
 After=network-online.target
-After=consul-vault-agent.service
-{% if consul_vault_agent.vault_address is defined and consul_vault_agent.pki.enabled %}
-Requires=consul-vault-agent.service
-{% endif %}
 ConditionFileNotEmpty={{ consul_root_dir }}/etc/consul.hcl
 # Consul version {{ consul_current_version }}
@@ -15,7 +11,7 @@ Type=notify
 EnvironmentFile=-{{ consul_root_dir }}/etc/consul.env
 User={{ consul_user }}
 Group={{ consul_user }}
-ExecStart={{ consul_root_dir }}/bin/consul
+ExecStart=/usr/local/bin/consul agent -config-dir {{ consul_root_dir }}/etc/
 ExecReload=/bin/kill --signal HUP $MAINPID
 SuccessExitStatus=1
 Restart=on-failure
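Review bot: In the consul.service.j2 hunks, the new `ExecStart=/usr/local/bin/consul agent -config-dir {{ consul_root_dir }}/etc/` drops the `-pid-file /run/consul/consul_agent.pid` argument the removed wrapper passed, and the unit no longer declares any ordering against a vault agent unit. If the new vault_agent role still signals consul through that pid file, or if its unit is named `consul-vault-agent` by analogy with the `nomad-vault-agent` handler this commit adds, consul can now start before its certificate bundle has been written; keeping `After=consul-vault-agent.service` (without `Requires=`, so consul still starts when PKI is disabled) would preserve the ordering. This is inferred from the removed lines, since the vault_agent role's unit is not in this patch.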
diff --git a/roles/consul/templates/consul.sh.j2 b/roles/consul/templates/consul.sh.j2
deleted file mode 100644
index 3495d05..0000000
--- a/roles/consul/templates/consul.sh.j2
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/sh
-
-{% if consul_vault_agent.vault_address is defined and consul_vault_agent.pki.enabled %}
-if [ -f /run/consul/vault_token ]; then
- exec env VAULT_TOKEN=$(vault unwrap -field=token $(jq -r '.token' /run/consul/vault_token)) \
- /usr/local/bin/consul \
- agent \
- -config-dir={{ consul_root_dir }}/etc/ \
- -pid-file /run/consul/consul_agent.pid
-else
- echo "Consul service failed due to missing Vault token"
- exit 1
-fi
-{% else %}
-exec /usr/local/bin/consul \
- agent \
- -config-dir={{ consul_root_dir }}/etc/ \
- -pid-file /run/consul/consul_agent.pid
-{% endif %}
diff --git a/roles/consul/templates/vault/agent.hcl.j2 b/roles/consul/templates/vault/agent.hcl.j2
deleted file mode 100644
index ede3f1d..0000000
--- a/roles/consul/templates/vault/agent.hcl.j2
+++ /dev/null
@@ -1,44 +0,0 @@
-vault {
- address = "{{ consul_vault_agent.vault_address }}"
-}
-
-auto_auth {
-{% if consul_vault_agent.auth.approle is defined %}
- method {
- type = "approle"
- config {
- role_id_file_path = "{{ consul_root_dir }}/vault/role_id"
- secret_id_file_path = "{{ consul_root_dir }}/vault/secret_id"
- remove_secret_id_file_after_reading = false
- }
- }
-{% elif consul_vault_agent.auth.token is defined %}
- method {
- type = "token_file"
- config {
- token_file_path = "{{ consul_root_dir }}/vault/token"
- }
- }
-{% endif %}
-
- sink {
- type = "file"
- wrap_ttl = "30s"
- config = {
- path = "/run/consul/vault_token"
- mode = 640
- }
- }
-}
-
-template {
- source = "{{ consul_root_dir }}/vault/templates/agent_bundle.pem.tpl"
- destination = "{{ consul_root_dir }}/tls/agent_bundle.pem"
- left_delimiter = "[["
- right_delimiter = "]]"
- perms = 0640
- exec {
- command = ["sh", "-c", "kill -USR1 $(cat /run/consul/consul_agent.pid)"]
- }
-}
-
diff --git a/roles/consul/templates/vault/agent.service.j2 b/roles/consul/templates/vault/agent.service.j2
deleted file mode 100644
index bda46a1..0000000
--- a/roles/consul/templates/vault/agent.service.j2
+++ /dev/null
@@ -1,34 +0,0 @@
-[Unit]
-Description="HashiCorp Vault Agent for Consul"
-Documentation=https://www.vaultproject.io/docs/
-Requires=network-online.target
-After=network-online.target
-ConditionFileNotEmpty={{ consul_root_dir }}/vault/agent.hcl
-StartLimitIntervalSec=60
-StartLimitBurst=3
-PartOf=consul.service
-
-[Service]
-Type=notify
-User={{ consul_user }}
-Group={{ consul_user }}
-ProtectSystem=full
-ProtectHome=read-only
-PrivateTmp=yes
-PrivateDevices=yes
-SecureBits=keep-caps
-AmbientCapabilities=CAP_IPC_LOCK
-CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
-NoNewPrivileges=yes
-ExecStart=/usr/local/bin/vault agent -config={{ consul_root_dir }}/vault/agent.hcl
-ExecReload=/bin/kill --signal HUP $MAINPID
-KillMode=process
-KillSignal=SIGINT
-Restart=on-failure
-RestartSec=5
-TimeoutStopSec=30
-LimitNOFILE=65536
-LimitMEMLOCK=infinity
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/consul/templates/vault/agent_bundle.pem.tpl.j2 b/roles/consul/templates/vault/agent_bundle.pem.tpl.j2
deleted file mode 100644
index 6d81192..0000000
--- a/roles/consul/templates/vault/agent_bundle.pem.tpl.j2
+++ /dev/null
@@ -1,17 +0,0 @@
-{% if consul_conf.server %}
-[[ with pkiCert "{{ consul_vault_agent.pki.path }}/issue/{{ consul_vault_agent.pki.role }}" "common_name=server-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}" "alt_names=consul.service.{{ consul_conf.domain | default('consul') }},server.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}{% if consul_conf.alt_domain is defined %},consul.service.{{ consul_conf.alt_domain }},server.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.alt_domain }}{% endif %}" "ttl=72h" ]]
-[[ .CA ]]
-[[ .Cert ]]
-[[ .Key ]]
-[[ .CA | writeToFile "{{ consul_conf.tls.defaults.ca_file }}" "{{ consul_user }}" "{{ consul_user }}" "0644" ]]
-[[ .Cert | writeToFile "{{ consul_conf.tls.defaults.cert_file }}" "{{ consul_user }}" "{{ consul_user }}" "0644" ]]
-[[ .Key | writeToFile "{{ consul_conf.tls.defaults.key_file }}" "{{ consul_user }}" "{{ consul_user }}" "0640" ]]
-[[ end ]]
-[[ with secret "{{ consul_vault_agent.pki.path }}/cert/ca" ]]
-[[ .Data.certificate | writeToFile "{{ consul_conf.tls.defaults.cert_file }}" "{{ consul_user }}" "{{ consul_user }}" "0644" "append,newline" ]]
-[[ end ]]
-{% else %}
-[[ with secret "{{ consul_vault_agent.pki.path }}/cert/ca" ]]
-[[ .Data.certificate | writeToFile "{{ consul_conf.tls.defaults.ca_file }}" "{{ consul_user }}" "{{ consul_user }}" "0644" ]]
-[[ end ]]
-{% endif %}
diff --git a/roles/consul/templates/vault/agent_token.tpl.j2 b/roles/consul/templates/vault/agent_token.tpl.j2
deleted file mode 100644
index 32b11e6..0000000
--- a/roles/consul/templates/vault/agent_token.tpl.j2
+++ /dev/null
@@ -1,3 +0,0 @@
-[[ with secret "{{ consul_vault_agent.tokens.path }}/creds/{{ consul_vault_agent.tokens.role }}" ]]
-[[ .Data.token ]]
-[[ end ]]
diff --git a/roles/consul/templates/vault/cli_bundle.pem.tpl.j2 b/roles/consul/templates/vault/cli_bundle.pem.tpl.j2
deleted file mode 100644
index dd988b8..0000000
--- a/roles/consul/templates/vault/cli_bundle.pem.tpl.j2
+++ /dev/null
@@ -1,7 +0,0 @@
-[[ with pkiCert "{{ consul_vault_agent.pki.path }}/issue/{{ consul_vault_agent.pki.role }}" "common_name=cli-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}" ]]
-[[ .CA ]]
-[[ .Cert ]]
-[[ .Key ]]
-[[ .Cert | writeToFile "{{ consul_root_dir }}/tls/cli.crt" "{{ consul_user }}" "{{ consul_user }}" "0644" ]]
-[[ .Key | writeToFile "{{ consul_root_dir }}/tls/cli.key" "{{ consul_user }}" "{{ consul_user }}" "0640" ]]
-[[ end ]]
diff --git a/roles/consul_bin/tasks/install.yml b/roles/consul_bin/tasks/install.yml
index 6fb35e5..94c9205 100644
--- a/roles/consul_bin/tasks/install.yml
+++ b/roles/consul_bin/tasks/install.yml
@@ -5,9 +5,9 @@
 name: "{{ consul_packages }}"
 tags: consul
-# Migrate from the old vault role
+# Migrate from the oldconsul role
 - name: Check if consul is a link
- stat: path=/usr/local/bin/vault
+ stat: path=/usr/local/bin/consul
 register: consul_link
 tags: vault
@@ -39,7 +39,7 @@
 - name: Install bash completion support
 copy:
 content: |
- complete -C {{ consul_root_dir }}/bin/consul consul
+ complete -C /usr/local/bin/consul consul
 dest: /etc/bash_completion.d/consul
 mode: 0644
 tags: consul
diff --git a/roles/includes/create_selfsigned_cert.yml b/roles/includes/create_selfsigned_cert.yml
index c932828..9cec586 100644
--- a/roles/includes/create_selfsigned_cert.yml
+++ b/roles/includes/create_selfsigned_cert.yml
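Review bot: In the first roles/consul_bin/tasks/install.yml hunk the rewritten comment reads `# Migrate from the oldconsul role` (missing space), and the "Check if consul is a link" task it sits above is still tagged `tags: vault` although it now stats `/usr/local/bin/consul` in a consul role, so a `--tags consul` run skips this migration step while a `--tags vault` run picks it up. Suggest `# Migrate from the old consul role` and `tags: consul` to match the surrounding tasks.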
@@ -21,4 +21,4 @@
 creates: "{{ cert_path }}"
 - name: Restrict permissions of the private key
- file: path={{ cert_key_path }} owner={{ cert_key_user | default(omit) }} group={{ cert_key_group | default(omit) }} mode={{ cert_key_mode | default('600') }}
+ file: path={{ cert_key_path }} owner={{ cert_key_user | default(omit) }} group={{ cert_key_group | default(omit) }} mode={{ (cert_key_mode | default('600') == 'omit') | ternary(omit, cert_key_mode | default('600')) }}
diff --git a/roles/matrix_synapse/defaults/main.yml b/roles/matrix_synapse/defaults/main.yml
index 34dbfb0..d53df0f 100644
--- a/roles/matrix_synapse/defaults/main.yml
+++ b/roles/matrix_synapse/defaults/main.yml
@@ -1,7 +1,7 @@
 ---
 # Synapse version to deploy
-synapse_version: '1.86.0'
+synapse_version: '1.87.0'
 # Should ansible handle Synapse upgrades ? If false, only initial install will be done
 synapse_manage_upgrade: True
diff --git a/roles/nomad/defaults/main.yml b/roles/nomad/defaults/main.yml
index 65eb8f9..01a76a4 100644
--- a/roles/nomad/defaults/main.yml
+++ b/roles/nomad/defaults/main.yml
@@ -1,12 +1,5 @@
 ---
-# Version of Nomad to install
-nomad_version: 1.5.6
-# URL of the archive
-nomad_archive_url: https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip
-# Expected sha256 of the archive
-nomad_archive_sha256: 65a7d5a4c6ade01a44292901b05a7c985b4459e0a079b5eb55f5d61474ee98e5
-
 # List of plugins to install
 nomad_plugins:
 podman:
@@ -27,10 +20,6 @@ nomad_user: "{{ nomad_conf.client.enabled | ternary('root', 'nomad') }}"
 # Used for example to grant access to cli cert with ACL
 nomad_admin_groups: "{{ system_admin_groups | default([]) }}"
-# If ACL are enabled, you need to set a management token for ansible
-# to be able to manage Nomad (eg snapshot before upgrades)
-# nomad_mgm_token: XXXXXXXXX
-
 # List of nomad servers (not clients !)
 nomad_servers: []
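Review bot: The new `mode=` expression in roles/includes/create_selfsigned_cert.yml special-cases the literal string `'omit'` so a caller can leave the key's mode untouched, but nothing in the file says so, and a reader of the consul and nomad conf.yml hunks in this commit has no way to know why `cert_key_mode: omit` is not simply an invalid mode. A comment above the "Restrict permissions of the private key" task, e.g. `# cert_key_mode: omit (the literal string) skips the mode change so the caller can manage permissions itself (e.g. with ACLs); any other value is applied, default 600`, would document the contract both roles now rely on.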
@@ -169,7 +158,7 @@ nomad_base_conf:
 # Default scheduler config. Only used during cluster bootstrap
 # If you want to change it after, you have to use the API
 default_scheduler_config:
- # can be binpack or spread. SPread makes more sens when running on premise
+ # can be binpack or spread. Spread makes more sense when running on premise
 scheduler_algorithm: spread
 memory_oversubscription_enabled: True
 preemption_config:
@@ -247,24 +236,3 @@ nomad_extra_services: {}
 nomad_host_services: {}
 nomad_services: "{{ nomad_base_services | combine(nomad_extra_services, recursive=True) | combine(nomad_host_services, recursive=True) }}"
-# When using vault to setup TLS for Nomad
-nomad_base_vault_secrets:
- vault_address: "{{ nomad_conf.vault.address | default('https://active.vault.service.consul:8200') }}"
- # Token to use to issue certificates
- # token: XXXXXXXXX
- pki:
- enabled: False
- # The path of the PKI secret where cert will be issued
- path: /pki/nomad
- role: nomad-{{ nomad_conf.server.enabled | ternary('server', 'client') }}
- # ttl: 6h # if not set, will use the default ttl of the role
- consul_pki:
- enabled: False
- path: /pki/consul
- root_path: /pki/root # This is used to fetch the top level root CA, as envoy can't validate the chain unless it has it complete up to the auto-signed root
- role: nomad-client # Only nomad clients will use this
- # ttl: 6h # if not set, will use the default ttl of the role
-
-nomad_extra_vault_secrets: {}
-nomad_host_vault_secrets: {}
-nomad_vault_secrets: "{{ nomad_base_vault_secrets | combine(nomad_extra_vault_secrets, recursive=True) | combine(nomad_host_vault_secrets, recursive=True) }}"
diff --git a/roles/nomad/handlers/main.yml b/roles/nomad/handlers/main.yml
index 158afc0..76d73eb 100644
--- a/roles/nomad/handlers/main.yml
+++ b/roles/nomad/handlers/main.yml
@@ -9,9 +9,5 @@
 service: name=nomad state=reloaded
 when: nomad_service_started is not defined or not nomad_service_started.changed
-- name: restart consul-template-nomad
- service: name=consul-template-nomad state=restarted
-
-- name: systemd-tmpfiles
- command: systemd-tmpfiles --create
-
+- name: restart nomad-vault-agent
+ service: name=nomad-vault-agent state=restarted
diff --git a/roles/nomad/meta/main.yml b/roles/nomad/meta/main.yml
index 6187688..5c4aae8 100644
--- a/roles/nomad/meta/main.yml
+++ b/roles/nomad/meta/main.yml
@@ -1,10 +1,10 @@
 ---
 dependencies:
+ - role: nomad_bin
 - role: repo_docker
 when: nomad_conf.client.enabled and nomad_conf.client.task_drivers['containerd-driver'].enabled # with containerd, we need docker repo to install containerd.io
 - role: docker
 when: nomad_conf.client.enabled and nomad_conf.client.task_drivers.docker.enabled
 - role: cni_plugins
 when: nomad_conf.client.enabled
- - role: consul_template # consul-template can be used for obtaining certs from vault
diff --git a/roles/nomad/tasks/archive_post.yml b/roles/nomad/tasks/archive_post.yml
deleted file mode 100644
index 108ac11..0000000
--- a/roles/nomad/tasks/archive_post.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-
-- name: Compress previous version
- command: tar cf {{ nomad_root_dir }}/archives/{{ nomad_current_version }}.tar.zst --use-compress-program=zstd ./
- args:
- chdir: "{{ nomad_root_dir }}/archives/{{ nomad_current_version }}"
- environment:
- ZSTD_CLEVEL: 10
- tags: nomad
-
-- name: Remove archive dir
- file: path={{ nomad_root_dir }}/archives/{{ nomad_current_version }} state=absent
- tags: nomad
-
diff --git a/roles/nomad/tasks/archive_pre.yml b/roles/nomad/tasks/archive_pre.yml
deleted file mode 100644
index a7f7560..0000000
--- a/roles/nomad/tasks/archive_pre.yml
+++ /dev/null
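Review bot: The roles/nomad/handlers/main.yml hunk removes the `systemd-tmpfiles` handler together with `restart consul-template-nomad`, and handler names are only resolved when a task reports changed, so any task left in the nomad role that still carries `notify: systemd-tmpfiles` (or the consul-template one) will fail the play at runtime rather than at parse time. None of the nomad task hunks in this patch shows such a notify being dropped, so this is inferred; a quick grep of roles/nomad/tasks for both handler names before merging would settle it.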
@@ -1,29 +0,0 @@
----
-
-- name: Create the archive dir
- file: path={{ nomad_root_dir }}/archives/{{ nomad_current_version }} state=directory
- tags: nomad
-
-- name: Snapshot nomad data
- command: "{{ nomad_root_dir }}/bin/nomad operator snapshot save {{ nomad_root_dir }}/archives/{{ nomad_current_version }}/nomad.snap"
- args:
- creates: "{{ nomad_root_dir }}/archives/{{ nomad_current_version }}/nomad.snap"
- when:
- - nomad_conf.server.enabled
- - nomad_sys_services.ansible_facts.services['nomad.service'] is defined
- - nomad_sys_services.ansible_facts.services['nomad.service'].state == 'started'
- environment:
- NOMAD_TOKEN: "{{ nomad_mgm_token | default(omit) }}"
- tags: nomad
-
-- name: Backup previous version
- synchronize:
- src: "{{ nomad_root_dir }}/{{ item }}"
- dest: "{{ nomad_root_dir }}/archives/{{ nomad_current_version }}/"
- compress: False
- delegate_to: "{{ inventory_hostname }}"
- loop:
- - bin
- - plugins
- tags: nomad
-
diff --git a/roles/nomad/tasks/cleanup.yml b/roles/nomad/tasks/cleanup.yml
index 947e2e9..02b0043 100644
--- a/roles/nomad/tasks/cleanup.yml
+++ b/roles/nomad/tasks/cleanup.yml
@@ -3,8 +3,7 @@
 - name: Remove tmp and obsolete files
 file: path={{ item }} state=absent
 loop:
- "{{ nomad_root_dir }}/tmp/nomad_{{ nomad_version }}_linux_amd64.zip"
- "{{ nomad_root_dir }}/tmp/nomad"
+ - "{{ nomad_root_dir }}/archives"
 tags: nomad
 - name: Remove temporary plugin files
diff --git a/roles/nomad/tasks/conf.yml b/roles/nomad/tasks/conf.yml
index 1721c51..9d87a79 100644
--- a/roles/nomad/tasks/conf.yml
+++ b/roles/nomad/tasks/conf.yml
@@ -5,8 +5,7 @@
 vars:
 cert_path: "{{ nomad_conf.tls.cert_file }}"
 cert_key_path: "{{ nomad_conf.tls.key_file }}"
- cert_key_group: "{{ nomad_user }}"
- cert_key_mode: 640
+ cert_key_mode: omit
 tags: nomad
 - name: Check if CA exists
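Review bot: In the roles/nomad/tasks/cleanup.yml hunk, adding `{{ nomad_root_dir }}/archives` to the "Remove tmp and obsolete files" loop deletes that directory recursively on every run, and the archive_pre.yml removed just above is where the `nomad.snap` snapshots and the copies of bin/ and plugins/ taken before each upgrade were stored, so the first run after this change discards every existing pre-upgrade snapshot on the host without a replacement. If that is intended, a comment on the loop entry such as `# archives/ held pre-upgrade snapshots taken by the old in-role installer; upgrades are now handled by nomad_bin` makes it deliberate; otherwise the snapshots should be moved or the entry guarded until they are.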
@@ -26,8 +25,7 @@
 vars:
 cert_path: "{{ nomad_conf.consul.cert_file }}"
 cert_key_path: "{{ nomad_conf.consul.key_file }}"
- cert_key_group: "{{ nomad_user }}"
- cert_key_mode: 640
+ cert_key_mode: omit
 tags: nomad
 - name: Check if CA exists
@@ -113,27 +111,67 @@
 loop: "{{ nomad_backup_configs.stdout_lines }}"
 tags: nomad
-- name: Deploy consul-template config
- template: src=consul-template.hcl.j2 dest={{ nomad_root_dir }}/consul-template/consul-template.hcl mode=600 owner=root group=root
- notify: restart consul-template-nomad
- when: nomad_vault_secrets.pki.enabled or nomad_vault_secrets.tokens.enabled
- tags: nomad
-
-- name: Deploy consul-template agent bundle template
- template: src=agent_bundle.pem.tpl.j2 dest={{ nomad_root_dir }}/consul-template/agent_bundle.pem.tpl owner=root group=root
- notify: restart consul-template-nomad
- when: nomad_vault_secrets.pki.enabled
- tags: nomad
-
-- name: Deploy consul-template cli bundle template
- template: src=cli_bundle.pem.tpl.j2 dest={{ nomad_root_dir }}/consul-template/cli_bundle.pem.tpl owner=root group=root
- notify: restart consul-template-nomad
- when: nomad_vault_secrets.pki.enabled and nomad_conf.server.enabled
- tags: nomad
+#- name: Deploy vault-agent config
+# template: src=vault/agent.hcl.j2 dest={{ nomad_root_dir }}/vault/agent.hcl mode=640 owner=root group={{ nomad_user }}
+# notify: restart nomad-vault-agent
+# when: nomad_vault_agent.nomad_pki.enabled or nomad_vault_agent.consul_pki.enabled
+# tags: nomad
+#
+#- name: Deploy agent cert bundle template
+# template: src=vault/agent_bundle.pem.tpl.j2 dest={{ nomad_root_dir }}/vault/templates/agent_bundle.pem.tpl owner=root group=root
+# notify: restart nomad-vault-agent
+# when: nomad_vault_agent.nomad_pki.enabled or nomad_vault_agent.consul_pki.enabled
+# tags: nomad
+#
+#- name: Deploy cli cert bundle template
+# template: src=vault/cli_bundle.pem.tpl.j2 dest={{ nomad_root_dir }}/vault/templates/cli_bundle.pem.tpl owner=root group=root
+# notify: restart nomad-vault-agent
+# when: (nomad_vault_agent.nomad_pki.enabled or nomad_vault_agent.consul_pki.enabled) and nomad_conf.server.enabled
+# tags: nomad
+#
+#- name: Deploy consul token template
+# template: src=vault/consul_token.tpl.j2 dest={{ nomad_root_dir }}/vault/templates/consul_token.tpl owner=root group=root
+# notify: restart nomad-vault-agent
+# when: (nomad_vault_agent.consul_token.enabled) and nomad_conf.server.enabled
+# tags: nomad
+#
+#- fail: msg="Only one of token or approle should be configured"
+# when:
+# - nomad_vault_agent.auth.approle is defined
+# - nomad_vault_agent.auth.token is defined
+# tags: nomad
+#
+#- name: Setup AppRole auth
+# block:
+# - copy: content={{ nomad_vault_agent.auth.approle.role_id }} dest={{ nomad_root_dir }}/vault/role_id owner=root group={{ nomad_user }} mode=640
+# - copy: content={{ nomad_vault_agent.auth.approle.secret_id }} dest={{ nomad_root_dir }}/vault/secret_id owner=root group={{ nomad_user }} mode=640
+# - file: path={{ nomad_root_dir }}/vault/token state=absent
+# when:
+# - nomad_vault_agent.auth is defined
+# - nomad_vault_agent.auth.approle is defined
+# - nomad_vault_agent.auth.approle.role_id is defined
+# - nomad_vault_agent.auth.approle.secret_id is defined
+# tags: nomad
+#
+#- name: Setup Token auth
+# block:
+# - copy: content={{ nomad_vault_agent.auth.token }} dest={{ nomad_root_dir }}/vault/token owner=root group={{ nomad_user }} mode=640
+# - file: path={{ nomad_root_dir }}/vault/role_id state=absent
+# - file: path={{ nomad_root_dir }}/vault/secret_id state=absent
+# when:
+# - nomad_vault_agent.auth is defined
+# - nomad_vault_agent.auth.token is defined
+# tags: nomad
 - name: Set ACL on the TLS dir
 shell: |
- setfacl -R -k -b {{ nomad_root_dir }}/tls
+ setfacl -R -b -k {{ nomad_root_dir }}/tls
+ chown -R :{{ nomad_user }} {{ nomad_root_dir }}/tls
+ chmod 750 {{ nomad_root_dir }}/tls
+ chmod 640 {{ nomad_root_dir }}/tls/*
+ setfacl -m u:{{ nomad_user }}:rx {{ nomad_root_dir }}/tls
+ setfacl -m d:u:{{ nomad_user }}:r {{ nomad_root_dir }}/tls
+ setfacl -m u:{{ nomad_user }}:r {{ nomad_root_dir }}/tls/*
 {% if nomad_admin_groups | length > 0 %}
 setfacl -m {% for group in nomad_admin_groups %}g:{{ group }}:rx{{ ',' if not loop.last }}{% endfor %} {{ nomad_root_dir }}/tls
 setfacl -m {% for group in nomad_admin_groups %}d:g:{{ group }}:r{{ ',' if not loop.last }}{% endfor %} {{ nomad_root_dir }}/tls
@@ -147,12 +185,6 @@
 template: src=profile.sh.j2 dest=/etc/profile.d/nomad.sh
 tags: nomad
-- name: Deploy consul-template consul cert templates
- template: src=consul_bundle.pem.tpl.j2 dest={{ nomad_root_dir }}/consul-template/consul_bundle.pem.tpl owner=root group=root
- notify: restart consul-template-nomad
- when: nomad_vault_secrets.consul_pki.enabled and nomad_conf.consul.ssl
- tags: nomad
-
 - name: Ensure the bridge module is loaded
 modprobe: name=bridge state=present
 when: nomad_conf.client.enabled and 'docker' in nomad_enabled_task_drivers
diff --git a/roles/nomad/tasks/directories.yml b/roles/nomad/tasks/directories.yml
index 0741a0a..cd25eb8 100644
--- a/roles/nomad/tasks/directories.yml
+++ b/roles/nomad/tasks/directories.yml
@@ -7,10 +7,6 @@
 owner: root
 group: root
 mode: 755
- - dir: archives
- owner: root
- group: root
- mode: 700
 - dir: backup
 owner: root
 group: root
@@ -37,8 +33,11 @@
 owner: root
 mode: 755
 - dir: tls
- owner: root
- mode: 755
- - dir: consul-template
- mode: 755
 tags: nomad
+
+- name: Create host_volume directories
+ file: path={{ item.path }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+ loop: "{{ nomad_conf.client.host_volumes | default([]) }}"
+ when: item.create | default(False)
+ tags: nomad
+
diff --git a/roles/nomad/tasks/facts.yml b/roles/nomad/tasks/facts.yml
index 594843d..96efb83 100644
--- a/roles/nomad/tasks/facts.yml
+++ b/roles/nomad/tasks/facts.yml
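Review bot: The large roles/nomad/tasks/conf.yml hunk replaces the consul-template tasks with roughly fifty lines of commented-out vault-agent tasks (`#- name: Deploy vault-agent config` through `#- name: Setup Token auth`) that reference a `nomad_vault_agent` variable and templates under `vault/` which nothing in this patch's nomad role defines, so the dead block will silently drift from whatever the new vault_agent role actually does. Since the history is in git, either drop it or shrink it to a single pointer such as `# Certificate issuance through vault-agent now lives in the vault_agent role`. The shell block of the "Set ACL on the TLS dir" task continues past the end of the hunk.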
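Review bot: The new "Create host_volume directories" task in roles/nomad/tasks/directories.yml reads `create`, `owner`, `group` and `mode` keys from each entry of `nomad_conf.client.host_volumes`, but none of those keys is described in this hunk and the defaults hunks in this commit do not show them either, so a user has no way to discover that only entries with `create: True` are created. A comment above the task, e.g. `# host_volumes entries may carry create/owner/group/mode; only entries with create: True are created here, the others are expected to exist already`, would document the contract; note that when `mode` is omitted the directory gets the file module's umask-derived default, which may be wider than wanted for volumes holding task data.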
@@ -1,28 +1,6 @@ --- -# Load distribution specific variables -- include_vars: "{{ item }}" - with_first_found: - - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml" - - "{{ role_path }}/vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml" - - "{{ role_path }}/vars/{{ ansible_distribution }}.yml" - - "{{ role_path }}/vars/{{ ansible_os_family }}.yml" - tags: nomad - -- set_fact: nomad_install_mode='none' - tags: nomad - -- name: Detect if nomad is installed - stat: path=/usr/local/bin/nomad - register: nomad_bin - tags: nomad - -- when: not nomad_bin.stat.exists - set_fact: nomad_install_mode='install' - tags: nomad - -- when: nomad_bin.stat.exists - block: +- block: - name: Detect installed version shell: /usr/local/bin/nomad version | perl -ne '/Nomad v(\d+(\.\d+)*)\s.*/ && print "$1\n"' changed_when: False @@ -30,15 +8,11 @@ - set_fact: nomad_current_version={{ nomad_current_version.stdout }} tags: nomad -- when: nomad_bin.stat.exists and nomad_current_version != nomad_version - set_fact: nomad_install_mode='upgrade' - tags: nomad - - name: Build a list of enabled task drivers set_fact: nomad_enabled_task_drivers={{ nomad_conf.client.task_drivers | dict2items | selectattr('value.enabled', 'equalto', True) | map(attribute='key') }} tags: nomad -- name: Check the state of the services - service_facts: - register: nomad_sys_services +- name: Check if the consul-template service still exists + stat: path=/etc/systemd/system/consul-template-nomad + register: nomad_ct_service tags: nomad diff --git a/roles/nomad/tasks/install.yml b/roles/nomad/tasks/install.yml index 40b597e..baeb19b 100644 --- a/roles/nomad/tasks/install.yml +++ b/roles/nomad/tasks/install.yml @@ -1,10 +1,5 @@ --- -- name: Install needed tools - package: - name: "{{ nomad_packages }}" - tags: nomad - - name: Install task driver packages package: name={{ nomad_task_driver_packages[item] }} loop: "{{ nomad_enabled_task_drivers }}" 
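Review bot: The stat in "Check if the consul-template service still exists" looks at `/etc/systemd/system/consul-template-nomad`, but the unit this role used to deploy was `consul-template-nomad.service` (see the task removed from install.yml in this same commit), so `nomad_ct_service.stat.exists` is false on every host and the stop/disable task in services.yml that keys on it never runs. Change it to `stat: path=/etc/systemd/system/consul-template-nomad.service`. Dropping the `when: nomad_bin.stat.exists` guard around "Detect installed version" also means that shell task now fails outright when the binary is absent; presumably fine if nomad_bin is always a dependency, but a comment saying the binary is guaranteed by nomad_bin would make that explicit.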
@@ -12,43 +7,20 @@ notify: restart nomad tags: nomad -- when: nomad_install_mode == 'upgrade' - name: Clear plugin dir on upgrades - file: path={{ nomad_root_dir }}/plugins state={{ item }} owner={{ nomad_user }} group={{ nomad_user }} - loop: - - absent - - directory +- name: Deploy systemd service unit + template: src=nomad.service.j2 dest=/etc/systemd/system/nomad.service + register: nomad_unit + notify: restart nomad tags: nomad -- when: nomad_install_mode != 'none' +- when: nomad_conf.client.enabled and nomad_unit.changed block: - - name: Download nomad - get_url: - url: "{{ nomad_archive_url }}" - dest: "{{ nomad_root_dir }}/tmp" - checksum: sha256:{{ nomad_archive_sha256 }} - - name: Extract the archive - unarchive: - src: "{{ nomad_root_dir }}/tmp/nomad_{{ nomad_version }}_linux_amd64.zip" - dest: "{{ nomad_root_dir }}/tmp" - remote_src: True - - - name: Install nomad binary - copy: - src: "{{ nomad_root_dir }}/tmp/nomad" - dest: "{{ nomad_root_dir }}/bin/nomad" - remote_src: True - mode: 755 - notify: restart nomad - - - name: Link in /usr/local/bin - file: src={{ nomad_root_dir }}/bin/nomad dest=/usr/local/bin/nomad state=link force=True - - tags: nomad - -- when: nomad_install_mode != 'none' and nomad_conf.client.enabled - block: + - name: Clear plugin dir on upgrades + file: path={{ nomad_root_dir }}/plugins state={{ item }} owner={{ nomad_user }} group={{ nomad_user }} + loop: + - absent + - directory - name: Download plugins get_url: 
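Review bot: Clearing the plugin dir and re-downloading plugins is now gated on `when: nomad_conf.client.enabled and nomad_unit.changed`, which ties it to any change of nomad.service.j2 (a new EnvironmentFile, a consul address) rather than to an upgrade; the link is that the unit template embeds `# Nomad version {{ nomad_current_version }}`, but nothing in this file says so. Add a comment above the block such as `# nomad.service.j2 embeds the installed Nomad version, so a changed unit also signals an upgrade; plugins are rebuilt on any unit change` and consider renaming "Clear plugin dir on upgrades" accordingly. The block continues past the end of the hunk.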
@@ -100,24 +72,11 @@ - name: Install bash completion support copy: content: | - complete -C {{ nomad_root_dir }}/bin/nomad nomad + complete -C /usr/local/bin/nomad nomad dest: /etc/bash_completion.d/nomad mode: 0644 tags: nomad -- name: Deploy systemd service unit - template: src=nomad.service.j2 dest=/etc/systemd/system/nomad.service - register: nomad_unit - notify: restart nomad - tags: nomad - -- name: Install consul-template unit - template: src=consul-template-nomad.service.j2 dest=/etc/systemd/system/consul-template-nomad.service - register: nomad_consul_tpl_unit - notify: restart consul-template-nomad - when: nomad_vault_secrets.pki.enabled or nomad_vault_secrets.consul_pki.enabled - tags: nomad - - name: Install backup hooks template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/nomad mode=755 loop: @@ -125,14 +84,21 @@ - post tags: nomad +# A tmpfs will be used to store tokens and other sensitive information - name: Create tmpfile fragment copy: content: | d /run/nomad 775 root {{ nomad_user }} dest: /etc/tmpfiles.d/nomad.conf - notify: systemd-tmpfiles + register: nomad_tmpfiles tags: nomad +- name: Create tmpfiles + command: systemd-tmpfiles --create + when: nomad_tmpfiles.changed + tags: nomad + +# This script cleanups leftovers in iptables rules on boot - name: Install iptables cleanup script copy: src=iptables_cleanup.pl dest={{ nomad_root_dir }}/bin/iptables_cleanup.pl mode=755 tags: nomad @@ -144,7 +110,7 @@ - name: Reload systemd systemd: daemon_reload=True - when: nomad_unit.changed or nomad_ipt_cleanup_unit.changed or (nomad_consul_tpl_unit is defined and nomad_consul_tpl_unit.changed) + when: nomad_unit.changed or nomad_ipt_cleanup_unit.changed tags: nomad # This is needed for containers to be able to reach their own services through the host published port 
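Review bot: `d /run/nomad 775 root {{ nomad_user }}` makes the directory group-writable by the nomad group, while the comment added above it says the tmpfs holds tokens, which vault-agent (running as root per vault-agent.service.j2) renders there as root-owned 0640 files before chowning them. If no process running as `{{ nomad_user }}` needs to create files in `/run/nomad`, `750` lets root write and nomad read without letting the nomad group replace or pre-create the entries root later writes; if 775 is intentional, say why in the comment. The `systemd-tmpfiles --create` command task is fine as gated on `nomad_tmpfiles.changed`, though a `changed_when: True` comment-free form would read clearer than the implicit always-changed command.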
@@ -152,8 +118,3 @@ copy: src=50-nomad-promisc dest=/etc/NetworkManager/dispatcher.d/50-nomad-promisc mode=755 tags: nomad -- name: Create host_volume directories - file: path={{ item.path }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }} - loop: "{{ nomad_conf.client.host_volumes | default([]) }}" - when: item.create | default(False) - tags: nomad diff --git a/roles/nomad/tasks/main.yml b/roles/nomad/tasks/main.yml index 3ff02fe..152f76b 100644 --- a/roles/nomad/tasks/main.yml +++ b/roles/nomad/tasks/main.yml @@ -10,10 +10,6 @@ - include_tasks: facts.yml tags: always -- include_tasks: archive_pre.yml - when: nomad_install_mode | default('none') == 'upgrade' - tags: always - - include_tasks: install.yml tags: always @@ -27,10 +23,6 @@ - include_tasks: services.yml tags: always -- include_tasks: archive_post.yml - when: nomad_install_mode | default('none') == 'upgrade' - tags: always - - include_tasks: cleanup.yml tags: always diff --git a/roles/nomad/tasks/services.yml b/roles/nomad/tasks/services.yml index 0c7e0ac..98a8d8a 100644 --- a/roles/nomad/tasks/services.yml +++ b/roles/nomad/tasks/services.yml @@ -8,8 +8,9 @@ - name: Handle consul-template-nomad service service: name: consul-template-nomad - state: "{{ (nomad_vault_secrets.pki.enabled or nomad_vault_secrets.consul_pki.enabled or nomad_vault_secrets.tokens.enabled) | ternary('started', 'stopped') }}" - enabled: "{{ (nomad_vault_secrets.pki.enabled or nomad_vault_secrets.consul_pki.enabled or nomad_vault_secrets.tokens.enabled) | ternary(True, False) }}" + state: stopped + enabled: False + when: nomad_ct_service.stat.exists tags: nomad - name: Handle iptables-nomad-cleanup service 
@@ -17,3 +18,11 @@ name: iptables-nomad-cleanup enabled: "{{ (nomad_conf.client.enabled and iptables_manage | default(True)) | ternary(True, False) }}" tags: nomad + +#- name: Handle nomad-vault-agent service +# service: +# name: nomad-vault-agent +# state: "{{ (nomad_vault_agent.nomad_pki.enabled or nomad_vault_agent.consul_pki.enabled or nomad_vault_agent.consul_token.enabled) | ternary('started', 'stopped') }}" +# enabled: "{{ (nomad_vault_agent.nomad_pki.enabled or nomad_vault_agent.consul_pki.enabled or nomad_vault_agent.consul_token.enabled) | ternary(True, False) }}" +# tags: nomad + diff --git a/roles/nomad/templates/nomad.service.j2 b/roles/nomad/templates/nomad.service.j2 index f779141..0fb184f 100644 --- a/roles/nomad/templates/nomad.service.j2 +++ b/roles/nomad/templates/nomad.service.j2 @@ -5,10 +5,14 @@ Wants=network-online.target After=network-online.target After=vault.service After=consul.service +After=nomad-vault-agent.service ConditionFileNotEmpty={{ nomad_root_dir }}/etc/nomad.hcl +# Nomad version {{ nomad_current_version }} [Service] EnvironmentFile=-{{ nomad_root_dir }}/etc/nomad.env +EnvironmentFile=-/run/nomad/vault.env +EnvironmentFile=-/run/nomad/consul.env {% if nomad_conf.consul.ssl and nomad_conf.client.enabled %} Environment=CONSUL_HTTP_SSL=true Environment=CONSUL_HTTP_ADDR=localhost:{{ (consul_services is defined) | ternary(consul_services.https.port, '8501') }} @@ -18,7 +22,7 @@ Environment=CONSUL_CLIENT_KEY={{ nomad_conf.consul.key_file }} {% endif %} User={{ nomad_user }} Group={{ nomad_user }} -ExecStart={{ nomad_root_dir }}/bin/nomad agent -config={{ nomad_root_dir }}/etc/ +ExecStart=/usr/local/bin/nomad agent -config {{ nomad_root_dir }}/etc ExecReload=/bin/kill --signal HUP $MAINPID Restart=on-failure LimitNOFILE=65536 diff --git a/roles/nomad/templates/pre-backup.j2 b/roles/nomad/templates/pre-backup.j2 index 00ca6b2..aa934a8 100644 --- a/roles/nomad/templates/pre-backup.j2 +++ b/roles/nomad/templates/pre-backup.j2 
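Review bot: The block appended for the `nomad-vault-agent` service is commented out and names a unit that the new vault_agent role does not install (its unit is `vault-agent.service`, see roles/vault_agent/tasks/install.yml), and roles/vault_agent/tasks/services.yml now starts and enables that service. Dead commented-out tasks tend to be resurrected with the wrong name later; drop the block rather than keep it as a comment.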
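Review bot: `After=nomad-vault-agent.service` orders nomad after a unit that does not exist — the vault_agent role installs `/etc/systemd/system/vault-agent.service` — and systemd ignores ordering against a missing unit, so nomad can start before `/run/nomad/vault.env` and `/run/nomad/consul.env` are rendered. Change it to `After=vault-agent.service`; vault-agent.service.j2 already declares `Before=nomad.service`, so the two sides would then agree. The `# Nomad version {{ nomad_current_version }}` line is load-bearing (install.yml rebuilds plugins whenever this unit changes), so a comment such as `# Version pinned on purpose: a changed unit triggers the plugin rebuild in install.yml` would keep someone from removing it as noise.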
@@ -5,8 +5,6 @@ set -eo pipefail {% if nomad_conf.tls.http %} NOMAD_ADDR=https://localhost:{{ nomad_services.http.port }} \ NOMAD_CACERT={{ nomad_conf.tls.ca_file }} \ -{% endif %} -{% if nomad_vault_secrets.pki.enabled %} NOMAD_CLIENT_CERT={{ nomad_root_dir }}/tls/cli.crt \ NOMAD_CLIENT_KEY={{ nomad_root_dir }}/tls/cli.key \ {% endif %} diff --git a/roles/nomad/templates/profile.sh.j2 b/roles/nomad/templates/profile.sh.j2 index 2482e03..f442961 100644 --- a/roles/nomad/templates/profile.sh.j2 +++ b/roles/nomad/templates/profile.sh.j2 @@ -1,11 +1,9 @@ {% if nomad_conf.tls.http and nomad_conf.server.enabled %} export NOMAD_ADDR=https://localhost:{{ nomad_services.http.port }} export NOMAD_CACERT={{ nomad_conf.tls.ca_file }} -{% if nomad_vault_secrets.pki.enabled %} export NOMAD_CLIENT_CERT={{ nomad_root_dir }}/tls/cli.crt export NOMAD_CLIENT_KEY={{ nomad_root_dir }}/tls/cli.key export NOMAD_TLS_SERVER_NAME=server.{{ nomad_conf.region | default('global') }}.nomad -{% endif %} {% else %} # TLS not enabled or not running in server mode {% endif %} diff --git a/roles/nomad_bin/defaults/main.yml b/roles/nomad_bin/defaults/main.yml new file mode 100644 index 0000000..e2a3e9e --- /dev/null +++ b/roles/nomad_bin/defaults/main.yml @@ -0,0 +1,9 @@ +--- + +# Version of Nomad to install +nomad_version: 1.5.6 +# URL of the archive +nomad_archive_url: https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip +# Expected sha256 of the archive +nomad_archive_sha256: 65a7d5a4c6ade01a44292901b05a7c985b4459e0a079b5eb55f5d61474ee98e5 + diff --git a/roles/nomad_bin/tasks/facts.yml b/roles/nomad_bin/tasks/facts.yml new file mode 100644 index 0000000..4d800ed --- /dev/null +++ b/roles/nomad_bin/tasks/facts.yml 
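Review bot: With the `nomad_vault_secrets.pki.enabled` guard removed, `NOMAD_CLIENT_CERT`/`NOMAD_CLIENT_KEY` now point at `{{ nomad_root_dir }}/tls/cli.crt` and `cli.key` whenever `nomad_conf.tls.http` is set, but the vault_agent role only renders cli_bundle.pem.tpl on servers (`{% if nomad_conf.server.enabled %}` in roles/vault_agent/templates/nomad/nomad.hcl.j2), so on a client-only node with TLS the hook references files nothing creates and the nomad command that follows fails under `set -eo pipefail`. profile.sh.j2 already uses `nomad_conf.tls.http and nomad_conf.server.enabled`; use the same condition here, `{% if nomad_conf.tls.http and nomad_conf.server.enabled %}`. The command that consumes these variables is outside the hunk.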
@@ -0,0 +1,36 @@ +--- + +# Load distribution specific variables +- include_vars: "{{ item }}" + with_first_found: + - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml" + - "{{ role_path }}/vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml" + - "{{ role_path }}/vars/{{ ansible_distribution }}.yml" + - "{{ role_path }}/vars/{{ ansible_os_family }}.yml" + tags: nomad + +- set_fact: nomad_install_mode='none' + tags: nomad + +- name: Detect if nomad is installed + stat: path=/usr/local/bin/nomad + register: nomad_bin + tags: nomad + +- when: not nomad_bin.stat.exists + set_fact: nomad_install_mode='install' + tags: nomad + +- when: nomad_bin.stat.exists + block: + - name: Detect installed version + shell: /usr/local/bin/nomad version | perl -ne '/Nomad v(\d+(\.\d+)*)\s.*/ && print "$1\n"' + changed_when: False + register: nomad_current_version + - set_fact: nomad_current_version={{ nomad_current_version.stdout }} + tags: nomad + +- when: nomad_bin.stat.exists and nomad_current_version != nomad_version + set_fact: nomad_install_mode='upgrade' + tags: nomad + diff --git a/roles/nomad_bin/tasks/install.yml b/roles/nomad_bin/tasks/install.yml new file mode 100644 index 0000000..1ae5f65 --- /dev/null +++ b/roles/nomad_bin/tasks/install.yml 
@@ -0,0 +1,46 @@ +--- + +- name: Install needed tools + package: + name: "{{ nomad_packages }}" + tags: nomad + +# Migrate from the old nomad role +- name: Check if nomad is a link + stat: path=/usr/local/bin/nomad + register: nomad_link + tags: vault + +- when: nomad_link.stat.islnk is defined and nomad_link.stat.islnk + block: + - name: Remove nomad link + file: path=/usr/local/bin/nomad state=absent + - set_fact: nomad_install_mode='upgrade' + tags: vault + +- when: nomad_install_mode != 'none' + block: + - name: Download nomad + get_url: + url: "{{ nomad_archive_url }}" + dest: /tmp + checksum: sha256:{{ nomad_archive_sha256 }} + + - name: Extract the archive + unarchive: + src: "/tmp/nomad_{{ nomad_version }}_linux_amd64.zip" + dest: /usr/local/bin + include: nomad + mode: 755 + remote_src: True + + tags: nomad + +- name: Install bash completion support + copy: + content: | + complete -C /usr/local/bin/nomad nomad + dest: /etc/bash_completion.d/nomad + mode: 0644 + tags: nomad + diff --git a/roles/nomad_bin/tasks/main.yml b/roles/nomad_bin/tasks/main.yml new file mode 100644 index 0000000..3e2dceb --- /dev/null +++ b/roles/nomad_bin/tasks/main.yml @@ -0,0 +1,7 @@ +--- + +- include_tasks: facts.yml + tags: always + +- include_tasks: install.yml + tags: always diff --git a/roles/nomad_bin/vars/RedHat.yml b/roles/nomad_bin/vars/RedHat.yml new file mode 100644 index 0000000..75f1789 --- /dev/null +++ b/roles/nomad_bin/vars/RedHat.yml @@ -0,0 +1,8 @@ +--- + +nomad_packages: + - tar + - zstd + - unzip + - acl + diff --git a/roles/sftpgo/defaults/main.yml b/roles/sftpgo/defaults/main.yml index 48a366a..30fe65a 100644 --- a/roles/sftpgo/defaults/main.yml +++ b/roles/sftpgo/defaults/main.yml 
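Review bot: The two migration tasks ("Check if nomad is a link" and the block that removes the link) are tagged `vault` while every other task in this role is tagged `nomad`, which looks copied from the vault_bin role; a run limited to `--tags nomad` skips them, so `nomad_link` stays undefined, `nomad_install_mode` is never forced to `'upgrade'`, and the old symlink is left in place. Change both to `tags: nomad`. The archive is now fetched into the shared `/tmp` instead of `{{ nomad_root_dir }}/tmp`: get_url verifies the sha256 at download time, but unarchive re-reads the file from a world-writable directory afterwards, so a private directory keeps the verified bytes out of reach of other local users.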
@@ -1,11 +1,11 @@ --- # Version to deploy -sftpgo_version: 2.5.2 +sftpgo_version: 2.5.3 # URL of the archive sftpgo_archive_url: https://github.com/drakkan/sftpgo/releases/download/v{{ sftpgo_version }}/sftpgo_v{{ sftpgo_version }}_linux_x86_64.tar.xz # Expected sha1 of the archive -sftpgo_archive_sha256: b55e25addc4a9db6f49b869274a6b15294e2a0c7335b242be736c51ddca22835 +sftpgo_archive_sha256: d4b97469052bc67cdc8d833d81a854669e7c3c0d9159de6ca2c2614694dc1c07 # Should ansible handle upgrades ? If False, only initial install will be done sftpgo_manage_upgrade: True diff --git a/roles/vault_agent/defaults/main/consul.yml b/roles/vault_agent/defaults/main/consul.yml new file mode 120000 index 0000000..ddd7fe7 --- /dev/null +++ b/roles/vault_agent/defaults/main/consul.yml @@ -0,0 +1 @@ +../../../consul/defaults/main.yml \ No newline at end of file diff --git a/roles/vault_agent/defaults/main/main.yml b/roles/vault_agent/defaults/main/main.yml new file mode 100644 index 0000000..bbb7eb6 --- /dev/null +++ b/roles/vault_agent/defaults/main/main.yml 
@@ -0,0 +1,92 @@ +--- + +vault_agent_root_dir: /opt/vault_agent + +# Address of the vault server +vault_agent_vault_address: https://vault.service.consul + +# Type of authentication. Can be token or approle +vault_agent_auth: approle + +# If auth is approle, you have to set vault_agent_approle_role_id and vault_agent_approle_secret_id +# vault_agent_approle_role_id: XXXXX +# vault_agent_approle_secret_id: XXXXXXX + +# If auth is token, you have to set vault_agent_token +# vault_agent_token: XXXXX + +# List of sinks where the token can be written +vault_agent_sinks: [] +# vault_agent_sinks: +# - path: /tmp/vault.token +# wrap_ttl: 20s +# mode: 600 + + +# List of templates +vault_agent_templates: [] +# vault_agent_templates: +# # Use only one of source or contents +# - source: /srv/foo.tpl +# contents: "{{ with secret \"kv/bar\" }}{{.Data.data.baz}}{{ end }}" +# destination: /src/foo +# left_delimiter = "[[" +# right_delimiter = "]]" +# perms: 0600 +# exec: +# timeout: 30s +# command: systemctl restart foo.service + +vault_agent_nomad_base: + # Should vault-agent fetch a vault token for use by Nomad + vault_token: + enabled: False + role: nomad-{{ nomad_conf.server.enabled | ternary('server', 'client') }} + + # Should vault-agent fetch certificates from vault for use by Nomad agent + nomad_pki: + enabled: False + path: pki/nomad + role: nomad-{{ nomad_conf.server.enabled | ternary('server', 'client') }} + ttl: 72h + # Vault can get a client certificate for administrative tasks + cli: + enabled: "{{ nomad_conf.server.enabled | ternary(True, False) }}" + role: nomad-user + ttl: 72h + # When renewing this cert, vault-agent can update nomad secret (so vault can connect to the Nomad API to manage tokens) + # secret_path: nomad + + # Should vault-agent fetch a certificate to connect on Consul. 
This is required when using Consul Connect + # Even if a Consul agent is available on localhost with no TLS + consul_pki: + enabled: False + path: pki/consul + role: nomad-client # Only Nomad clients will use Consul PKI + ttl: 72h + + # Should vault-agent fetch a consul token. It'll be used to register services in Consul service catalog + consul_token: + enabled: False + # The path of the consul secret engine + path: consul + # The role used to get the token + role: nomad-{{ nomad_conf.server.enabled | ternary('server', 'client') }} + +vault_agent_nomad_extra: {} +vault_agent_nomad_host: {} +vault_agent_nomad: "{{ vault_agent_nomad_base | combine(vault_agent_nomad_extra, recursive=True) | combine(vault_agent_nomad_host, recursive=True) }}" + + +vault_agent_consul_base: + # Should vault-agent fetch certificates for Consul agent + consul_pki: + enabled: False + path: pki/consul + role: consul-{{ consul_conf.server | ternary('server', 'client') }} + ttl: 72h + +vault_agent_consul_extra: {} +vault_agent_consul_host: {} +vault_agent_consul: "{{ vault_agent_consul_base | combine(vault_agent_consul_extra, recursive=True) | combine(vault_agent_consul_host, recursive=True) }}" + diff --git a/roles/vault_agent/defaults/main/nomad.yml b/roles/vault_agent/defaults/main/nomad.yml new file mode 120000 index 0000000..8fcbd74 --- /dev/null +++ b/roles/vault_agent/defaults/main/nomad.yml @@ -0,0 +1 @@ +../../../nomad/defaults/main.yml \ No newline at end of file diff --git a/roles/vault_agent/handlers/main.yml b/roles/vault_agent/handlers/main.yml new file mode 100644 index 0000000..7a55edc --- /dev/null +++ b/roles/vault_agent/handlers/main.yml @@ -0,0 +1,4 @@ +--- + +- name: restart vault-agent + service: name=vault-agent state=restarted diff --git a/roles/vault_agent/meta/main.yml b/roles/vault_agent/meta/main.yml new file mode 100644 index 0000000..09d702f --- /dev/null +++ b/roles/vault_agent/meta/main.yml @@ -0,0 +1,4 @@ +--- + +dependencies: + - role: vault_bin 
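Review bot: `vault_agent_sinks` is declared and documented here but nothing consumes it — vault-agent.hcl.j2 renders one fixed file sink and loops only over `vault_agent_templates` — so either loop over it in the template or drop it to avoid a setting that silently does nothing. In the `vault_agent_templates` example, `left_delimiter = "[["` and `right_delimiter = "]]"` use HCL syntax inside a YAML list; they should read `left_delimiter: "[["` and `right_delimiter: "]]"`, and `destination: /src/foo` is presumably meant to be `/srv/foo`.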
diff --git a/roles/vault_agent/tasks/conf.yml b/roles/vault_agent/tasks/conf.yml new file mode 100644 index 0000000..dbc4fdc --- /dev/null +++ b/roles/vault_agent/tasks/conf.yml @@ -0,0 +1,33 @@ +--- + +- name: Deploy main configuration + template: src=vault-agent.hcl.j2 dest={{ vault_agent_root_dir }}/etc/vault-agent.hcl mode=0600 + notify: restart vault-agent + tags: vault,consul,nomad + +- name: Deploy Nomad and Consul configuration + template: src={{ item }}/{{ item }}.hcl.j2 dest={{ vault_agent_root_dir }}/etc/{{ item }}.hcl + loop: + - nomad + - consul + notify: restart vault-agent + tags: vault,consul,nomad + +- name: Setup AppRole auth + block: + - copy: content={{ vault_agent_approle_role_id }} dest={{ vault_agent_root_dir }}/auth/role_id owner=root group=root mode=600 + - copy: content={{ vault_agent_approle_secret_id }} dest={{ vault_agent_root_dir }}/auth/secret_id owner=root group=root mode=600 + - file: path={{ vault_agent_root_dir }}/auth/token state=absent + when: + - vault_agent_auth == 'approle' + tags: nomad + +- name: Setup Token auth + block: + - copy: content={{ vault_agent_token }} dest={{ vault_agent_root_dir }}/auth/token owner=root group=root mode=640 + - file: path={{ vault_agent_root_dir }}/auth/role_id state=absent + - file: path={{ vault_agent_root_dir }}/auth/secret_id state=absent + when: + - vault_agent_auth == 'token' + tags: nomad + diff --git a/roles/vault_agent/tasks/directories.yml b/roles/vault_agent/tasks/directories.yml new file mode 100644 index 0000000..04924bd --- /dev/null +++ b/roles/vault_agent/tasks/directories.yml 
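Review bot: The AppRole and Token auth tasks write `vault_agent_approle_role_id`, `vault_agent_approle_secret_id` and `vault_agent_token` with `copy: content=...` but no `no_log: True`, so the secret values show up in verbose and diff output and in callback logs; add `no_log: True` to both blocks. Those two tasks are also tagged `nomad` only while the rest of the file is `vault,consul,nomad`, so a run with `--tags consul` deploys vault-agent.hcl (which points at `auth/role_id`) without ever writing the auth files. Minor: the token file is `mode=640` while role_id and secret_id are `mode=600`; vault-agent runs as root, so `600` for all three is the consistent choice.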
@@ -0,0 +1,18 @@ +--- + +- name: Create needed directories + file: path={{ vault_agent_root_dir }}/{{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }} + loop: + - dir: / + owner: root + group: root + mode: 755 + - dir: etc + mode: 700 + - dir: auth + mode: 700 + - dir: bin + - dir: templates/nomad + - dir: templates/consul + tags: vault,consul,nomad + diff --git a/roles/vault_agent/tasks/install.yml b/roles/vault_agent/tasks/install.yml new file mode 100644 index 0000000..14204ae --- /dev/null +++ b/roles/vault_agent/tasks/install.yml @@ -0,0 +1,47 @@ +--- + +- name: Install systemd unit + template: src=vault-agent.service.j2 dest=/etc/systemd/system/vault-agent.service + register: vault_agent_unit + notify: restart vault-agent + tags: vault,consul,nomad + +- name: Install Nomad templates + template: src=nomad/{{ item }}.j2 dest={{ vault_agent_root_dir }}/templates/nomad/{{ item }} + loop: + - vault.env.tpl + - agent_bundle.pem.tpl + - cli_bundle.pem.tpl + - consul_bundle.pem.tpl + - consul.env.tpl + notify: restart vault-agent + tags: vault,consul,nomad + +- name: Install Consul templates + template: src=consul/{{ item }}.j2 dest={{ vault_agent_root_dir }}/templates/consul/{{ item }} + loop: + - agent_bundle.pem.tpl + notify: restart vault-agent + tags: vault,consul,nomad + +- name: Create tmpfile fragment + copy: + content: | + d /run/vault_agent 770 root root + dest: /etc/tmpfiles.d/vault-agent.conf + register: vault_tmpfiles + tags: vault,consul,nomad + +- name: Create tmpfiles + command: systemd-tmpfiles --create + when: vault_tmpfiles.changed + tags: vault,consul,nomad + +- name: Reload systemd + systemd: daemon_reload=True + when: vault_agent_unit.changed + tags: vault,consul,nomad + +- name: Install Nomad API access updater + template: src=nomad/update_nomad_cert.sh.j2 dest={{ vault_agent_root_dir }}/bin/update_nomad_cert.sh mode=755 + tags: vault,consul,nomad 
diff --git a/roles/vault_agent/tasks/main.yml b/roles/vault_agent/tasks/main.yml new file mode 100644 index 0000000..2ef9852 --- /dev/null +++ b/roles/vault_agent/tasks/main.yml @@ -0,0 +1,13 @@ +--- + +- include_tasks: directories.yml + tags: always + +- include_tasks: install.yml + tags: always + +- include_tasks: conf.yml + tags: always + +- include_tasks: services.yml + tags: always diff --git a/roles/vault_agent/tasks/services.yml b/roles/vault_agent/tasks/services.yml new file mode 100644 index 0000000..ca8bdc6 --- /dev/null +++ b/roles/vault_agent/tasks/services.yml @@ -0,0 +1,5 @@ +--- + +- name: Start and enable vault-agent + service: name=vault-agent state=started enabled=True + tags: vault,nomad,consul diff --git a/roles/vault_agent/templates/consul/agent_bundle.pem.tpl.j2 b/roles/vault_agent/templates/consul/agent_bundle.pem.tpl.j2 new file mode 100644 index 0000000..eab31d1 --- /dev/null +++ b/roles/vault_agent/templates/consul/agent_bundle.pem.tpl.j2 
@@ -0,0 +1,13 @@ +{% if consul_conf.server %} +[[ with pkiCert "{{ vault_agent_consul.consul_pki.path }}/issue/{{ vault_agent_consul.consul_pki.role }}" "common_name=server-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}" "alt_names=consul.service.{{ consul_conf.domain | default('consul') }},server.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}{% if consul_conf.alt_domain is defined %},consul.service.{{ consul_conf.alt_domain }},server.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.alt_domain }}{% endif %}"{% if vault_agent_consul.consul_pki.ttl is defined %} "ttl={{ vault_agent_consul.consul_pki.ttl }}"{% endif %} ]] +[[ .CA ]] +[[ .Cert ]] +[[ .Key ]] +[[ .Cert | writeToFile "{{ consul_conf.tls.defaults.cert_file }}" "root" "{{ consul_user }}" "0644" ]] +[[ .Key | writeToFile "{{ consul_conf.tls.defaults.key_file }}" "root" "{{ consul_user }}" "0640" ]] +[[ end ]] +{% else %} +[[ with secret "{{ vault_agent_consul.consul_pki.path }}/cert/ca_chain" ]] +[[ .Data.certificate | writeToFile "{{ consul_conf.tls.defaults.ca_file }}" "root" "{{ consul_user }}" "0644" ]] +[[ end ]] +{% endif %} diff --git a/roles/vault_agent/templates/consul/consul.hcl.j2 b/roles/vault_agent/templates/consul/consul.hcl.j2 new file mode 100644 index 0000000..ccc9557 --- /dev/null +++ b/roles/vault_agent/templates/consul/consul.hcl.j2 @@ -0,0 +1,12 @@ +{% if vault_agent_consul.consul_pki.enabled %} +template { + source = "{{ vault_agent_root_dir }}/templates/consul/agent_bundle.pem.tpl" + destination = "{{ consul_root_dir }}/tls/agent_bundle.pem" + left_delimiter = "[[" + right_delimiter = "]]" + perms = 0640 + exec { + command = ["systemctl", "reload", "consul"] + } +} +{% endif %} 
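Review bot: In the server branch the template writes `consul_conf.tls.defaults.cert_file` and `key_file` via writeToFile but never `ca_file`, while the client branch writes only the CA; unless servers obtain their ca_file elsewhere, a server with `ca_file` configured has nothing producing it. Moving the `[[ with secret ".../cert/ca_chain" ]]` block outside the `{% if consul_conf.server %}` branch would cover both cases. The `[[ .CA ]]` printed into the bundle does not help here, since Consul reads the separate ca_file.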
diff --git a/roles/vault_agent/templates/nomad/agent_bundle.pem.tpl.j2 b/roles/vault_agent/templates/nomad/agent_bundle.pem.tpl.j2 new file mode 100644 index 0000000..a934284 --- /dev/null +++ b/roles/vault_agent/templates/nomad/agent_bundle.pem.tpl.j2 @@ -0,0 +1,10 @@ +[[ with pkiCert "{{ vault_agent_nomad.nomad_pki.path }}/issue/{{ vault_agent_nomad.nomad_pki.role }}" "common_name={{ (nomad_conf.server.enabled) | ternary('server', 'client') }}-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ nomad_conf.region | default('global') }}.nomad" "alt_names=localhost,{{ (nomad_conf.server.enabled) | ternary('server', 'client') }}.{{ nomad_conf.region | default('global') }}.nomad{% if nomad_conf.server.enabled and nomad_conf.client.enabled %},client.{{ nomad_conf.region | default('global') }}.nomad{% endif %}{% if consul_conf is defined %},nomad{{ nomad_conf.server.enabled | ternary('', '-client') }}.service.{{ consul_conf.domain | default('consul') }}{% if consul_conf is defined and consul_conf.alt_domain is defined %},nomad{{ nomad_conf.server.enabled | ternary('', '-client') }}.service.{{ consul_conf.alt_domain }}{% endif %}{% endif %}"{% if nomad_vault_secrets.pki.ttl is defined %} "ttl={{ vault_agent_nomad.nomad_pki.ttl }}"{% endif %} ]] +[[ .CA ]] +[[ .Cert ]] +[[ .Key ]] +[[ .Cert | writeToFile "{{ nomad_conf.tls.cert_file }}" "{{ nomad_user }}" "{{ nomad_user }}" "0644" ]] +[[ .Key | writeToFile "{{ nomad_conf.tls.key_file }}" "{{ nomad_user }}" "{{ nomad_user }}" "0640" ]] +[[ end ]] +[[ with secret "{{ vault_agent_nomad.nomad_pki.path }}/cert/ca_chain" ]] +[[ .Data.certificate | writeToFile "{{ nomad_conf.tls.ca_file }}" "{{ nomad_user }}" "{{ nomad_user }}" "0644" ]] +[[ end ]] diff --git a/roles/vault_agent/templates/nomad/cli_bundle.pem.tpl.j2 b/roles/vault_agent/templates/nomad/cli_bundle.pem.tpl.j2 new file mode 100644 index 0000000..eade2b3 --- /dev/null +++ b/roles/vault_agent/templates/nomad/cli_bundle.pem.tpl.j2 
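Review bot: The ttl guard `{% if nomad_vault_secrets.pki.ttl is defined %}` tests the old `nomad_vault_secrets` variable that this commit removes from the nomad role, while the value it emits is `vault_agent_nomad.nomad_pki.ttl`; with `nomad_vault_secrets` undefined the test is silently false, so the `ttl: 72h` default is never sent and certificates get the PKI role's default lifetime. Use the same variable on both sides, as consul_bundle.pem.tpl.j2 does: `{% if vault_agent_nomad.nomad_pki.ttl is defined %} "ttl={{ vault_agent_nomad.nomad_pki.ttl }}"{% endif %}`.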
@@ -0,0 +1,6 @@ +[[ with pkiCert "{{ vault_agent_nomad.nomad_pki.path }}/issue/{{ vault_agent_nomad.nomad_pki.role }}" "common_name=cli-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ nomad_conf.region | default('global') }}.nomad" ]] +[[ .Cert ]] +[[ .Key ]] +[[ .Cert | writeToFile "{{ nomad_root_dir }}/tls/cli.crt" "{{ nomad_user }}" "{{ nomad_user }}" "0644" ]] +[[ .Key | writeToFile "{{ nomad_root_dir }}/tls/cli.key" "{{ nomad_user }}" "{{ nomad_user }}" "0640" ]] +[[ end ]] diff --git a/roles/vault_agent/templates/nomad/consul.env.tpl.j2 b/roles/vault_agent/templates/nomad/consul.env.tpl.j2 new file mode 100644 index 0000000..31dd8dd --- /dev/null +++ b/roles/vault_agent/templates/nomad/consul.env.tpl.j2 @@ -0,0 +1,3 @@ +[[- with secret "{{ vault_agent_nomad.consul_token.path }}/creds/{{ vault_agent_nomad.consul_token.role }}" -]] +CONSUL_HTTP_TOKEN=[[ .Data.token ]] +[[- end -]] diff --git a/roles/vault_agent/templates/nomad/consul_bundle.pem.tpl.j2 b/roles/vault_agent/templates/nomad/consul_bundle.pem.tpl.j2 new file mode 100644 index 0000000..7152c24 --- /dev/null +++ b/roles/vault_agent/templates/nomad/consul_bundle.pem.tpl.j2 
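Review bot: `pkiCert` here passes no `ttl`, so the `cli.ttl: 72h` default declared in roles/vault_agent/defaults/main/main.yml has no effect and the CLI certificate gets the PKI role's default lifetime. Mirror the agent bundle: `{% if vault_agent_nomad.nomad_pki.cli.ttl is defined %} "ttl={{ vault_agent_nomad.nomad_pki.cli.ttl }}"{% endif %}` before the closing `]]`. The key is written 0640 owned by `{{ nomad_user }}` although it is issued from the `nomad-user` role; if that role is meant for administrators, a comment explaining why the nomad service account must be able to read it would help the next reader.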
@@ -0,0 +1,10 @@ +[[ with pkiCert "{{ vault_agent_nomad.consul_pki.path }}/issue/{{ vault_agent_nomad.consul_pki.role }}" "common_name={{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ (consul_conf is defined and consul_conf.domain is defined) | ternary(consul_conf.domain, 'consul') }}"{% if vault_agent_nomad.consul_pki.ttl is defined %} "ttl={{ vault_agent_nomad.consul_pki.ttl }}"{% endif %} ]] +[[ .CA ]] +[[ .Cert ]] +[[ .Key ]] +[[ .Cert | writeToFile "{{ nomad_conf.consul.cert_file }}" "{{ nomad_user }}" "{{ nomad_user }}" "0644" ]] +[[ .Key | writeToFile "{{ nomad_conf.consul.key_file }}" "{{ nomad_user }}" "{{ nomad_user }}" "0640" ]] +[[ end ]] +[[ with secret "{{ vault_agent_nomad.consul_pki.path }}/cert/ca_chain" ]] +[[ .Data.certificate | writeToFile "{{ nomad_conf.consul.ca_file }}" "{{ nomad_user }}" "{{ nomad_user }}" "0644" ]] +[[ end ]] diff --git a/roles/vault_agent/templates/nomad/nomad.hcl.j2 b/roles/vault_agent/templates/nomad/nomad.hcl.j2 new file mode 100644 index 0000000..0982b22 --- /dev/null +++ b/roles/vault_agent/templates/nomad/nomad.hcl.j2 
@@ -0,0 +1,69 @@ +{% if vault_agent_nomad.vault_token.enabled %} +template { + source = "{{ vault_agent_root_dir }}/templates/nomad/vault.env.tpl" + destination = "/run/nomad/vault.env" + left_delimiter = "[[" + right_delimiter = "]]" + perms = 0640 + exec { + # Wait a few sec before reloading Nomad as it fails if reloaded while not fully initialized yet + command = ["chown", ":{{ nomad_user }}", "/run/nomad/vault.env"] + } +} +{% endif %} + +{% if vault_agent_nomad.nomad_pki.enabled %} +template { + source = "{{ vault_agent_root_dir }}/templates/nomad/agent_bundle.pem.tpl" + destination = "{{ nomad_root_dir }}/tls/agent_bundle.pem" + left_delimiter = "[[" + right_delimiter = "]]" + perms = 0640 + exec { + # Wait a few sec before reloading Nomad as it fails if reloaded while not fully initialized yet + command = ["sh", "-c", "sleep 15 && systemctl reload nomad || true"] + } +} + +{% if nomad_conf.server.enabled %} +template { + source = "{{ vault_agent_root_dir }}/templates/nomad/cli_bundle.pem.tpl" + destination = "{{ nomad_root_dir }}/tls/cli_bundle.pem" + left_delimiter = "[[" + right_delimiter = "]]" + perms = 0640 +{% if vault_agent_nomad.nomad_pki.cli.enabled and vault_agent_nomad.nomad_pki.cli.secret_path is defined %} + exec { + command = "{{ vault_agent_root_dir }}/bin/update_nomad_cert.sh" + } +{% endif %} +} +{% endif %} +{% endif %} + + +{% if vault_agent_nomad.consul_pki.enabled and nomad_conf.consul.ssl %} +template { + source = "{{ vault_agent_root_dir }}/templates/nomad/consul_bundle.pem.tpl" + destination = "{{ nomad_root_dir }}/tls/consul_bundle.pem" + left_delimiter = "[[" + right_delimiter = "]]" + perms = 0640 + exec { + command = ["sh", "-c", "chown :{{ nomad_user }} && sleep 15 && systemctl reload nomad || true"] + } +} +{% endif %} + +{% if vault_agent_nomad.consul_token.enabled %} +template { + source = "{{ vault_agent_root_dir }}/templates/nomad/consul.env.tpl" + destination = "/run/nomad/consul.env" + left_delimiter = "[[" + 
right_delimiter = "]]" + perms = 0640 + exec { + command = ["chown", ":{{ nomad_user}}", "/run/nomad/consul.env"] + } +} +{% endif %} diff --git a/roles/vault_agent/templates/nomad/update_nomad_cert.sh.j2 b/roles/vault_agent/templates/nomad/update_nomad_cert.sh.j2 new file mode 100644 index 0000000..07a3f0d --- /dev/null +++ b/roles/vault_agent/templates/nomad/update_nomad_cert.sh.j2 @@ -0,0 +1,20 @@ +#!/bin/sh + +set -eo pipefail + +VAULT_ADDR={{ vault_agent_vault_address }} +VAULT_STATUS=$(vault status -format=json) + +if [ "$(echo ${VAULT_STATUS} | jq .is_self)" != "true" ]; then + echo "We're not the active vault, exiting" +elif [ "$(echo ${VAULT_STATUS} | jq .sealed)" != "false" ]; then + echo "Vault is sealed, exiting" +elif [ "$(echo ${VAULT_STATUS} | jq .initialized)" != "true" ]; then + echo "Vault is not initialized yet, exiting" +else + echo Updating Vault certificate to access Nomad API + vault write {{ vault_agent_nomad.nomad_pki.cli.secret_path }}/config/access \ + ca_cert="$(cat {{ nomad_root_dir }}/tls/ca.crt)" \ + client_cert="$(cat {{ nomad_root_dir }}/tls/cli.crt)" \ + client_key="$(cat {{ nomad_root_dir }}/tls/cli.key)" +fi diff --git a/roles/vault_agent/templates/nomad/vault.env.tpl.j2 b/roles/vault_agent/templates/nomad/vault.env.tpl.j2 new file mode 100644 index 0000000..8d8d0b8 --- /dev/null +++ b/roles/vault_agent/templates/nomad/vault.env.tpl.j2 @@ -0,0 +1,3 @@ +[[- with secret "auth/token/create/{{ vault_agent_nomad.vault_token.role }}" "no_parent=true" -]] +VAULT_TOKEN=[[ .Auth.ClientToken ]] +[[- end -]] diff --git a/roles/vault_agent/templates/vault-agent.hcl.j2 b/roles/vault_agent/templates/vault-agent.hcl.j2 new file mode 100644 index 0000000..00aa47b --- /dev/null +++ b/roles/vault_agent/templates/vault-agent.hcl.j2 
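Review bot: The exec command for consul_bundle.pem, `chown :{{ nomad_user }} && sleep 15 && systemctl reload nomad || true`, runs `chown` with no file operand, so it fails, the `&&` chain stops before the reload, and `|| true` hides the error — Nomad is never reloaded after a Consul certificate renewal. It should be `chown :{{ nomad_user }} {{ nomad_root_dir }}/tls/consul_bundle.pem && sleep 15 && systemctl reload nomad || true`. The comment `# Wait a few sec before reloading Nomad ...` above the vault.env exec describes the agent_bundle command, not the plain `chown` it sits on; drop or reword it there. `{{ nomad_user}}` in the consul.env exec lacks a space before the closing braces (renders fine, but inconsistent).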
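Review bot: `VAULT_ADDR={{ vault_agent_vault_address }}` is a plain shell assignment, not exported, so `vault status` and `vault write` do not see it and use whatever the process environment provides; write `export VAULT_ADDR={{ vault_agent_vault_address }}`. `set -eo pipefail` under `#!/bin/sh` relies on /bin/sh being bash (true on the RedHat targets this repo ships vars for, not on dash-based systems); `#!/bin/bash` makes that dependency explicit. The script also assumes `vault write` finds a token in the environment or in root's `~/.vault-token` — vault-agent's own token only goes to the throwaway 1s sink — which deserves a comment at the top.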
@@ -0,0 +1,58 @@
+vault {
+ address = "{{ vault_agent_vault_address }}"
+}
+
+auto_auth {
+{% if vault_agent_auth == 'approle' %}
+ method {
+ type = "approle"
+ config {
+ role_id_file_path = "{{ vault_agent_root_dir }}/auth/role_id"
+ secret_id_file_path = "{{ vault_agent_root_dir }}/auth/secret_id"
+ remove_secret_id_file_after_reading = false
+ }
+ }
+{% elif vault_agent_auth == 'token' %}
+ method {
+ type = "token_file"
+ config {
+ token_file_path = "{{ vault_agent_root_dir }}/auth/token"
+ }
+ }
+{% endif %}
+
+ # Not used, but prevent service failing if there's not template yet
+ sink {
+ type = "file"
+ wrap_ttl = "1s"
+ config = {
+ path = "/run/vault_agent/vault.token"
+ mode = 600
+ }
+ }
+}
+
+{% for template in vault_agent_templates %}
+template {
+{% if template.source is defined %}
+ source = "{{ template.source }}"
+{% elif template.contents is defined %}
+ contents = "{{ template.contents }}"
+{% endif %}
+ destination = "{{ template.destination }}"
+{% for prop in ['left_delimiter', 'right_delimiter', 'perms'] %}
+{% if template[prop] is defined %}
+ {{ prop }} = "{{ template[prop] }}"
+{% endif %}
+{% endfor %}
+
+{% if template.exec is defined and template.exec.command is defined %}
+ exec {
+{% if template.exec.timeout is defined %}
+ timeout = "{{ template.exec.timeout }}"
+{% endif %}
+ command = "template.exec.command"
+ }
+{% endif %}
+}
+{% endfor %}
diff --git a/roles/vault_agent/templates/vault-agent.service.j2 b/roles/vault_agent/templates/vault-agent.service.j2
new file mode 100644
index 0000000..ff41a04
--- /dev/null
+++ b/roles/vault_agent/templates/vault-agent.service.j2
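Review bot: `command = "template.exec.command"` in the generic exec block is a literal string, not a Jinja expression, so every entry of `vault_agent_templates` that defines an exec is rendered with a command named `template.exec.command`, which the agent cannot run; it should be `command = {{ template.exec.command | to_json }}`, which also keeps list-form commands (the form used by the Nomad template on this page) valid HCL. The sink's `mode = 600` is an unquoted decimal integer; if Vault takes it as an integer it means decimal 600 (octal 1130), not the 0600 presumably intended, so write `mode = 0600` or `mode = "0600"` as the Vault docs show. `contents = "{{ template.contents }}"` is inserted without escaping, so contents containing double quotes or newlines would break the rendered HCL; `contents = {{ template.contents | to_json }}` is the safer form.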
@@ -0,0 +1,49 @@
+[Unit]
+Description="HashiCorp Vault Agent"
+Documentation=https://www.vaultproject.io/docs/
+Requires=network-online.target
+After=network-online.target
+ConditionFileNotEmpty={{ vault_agent_root_dir }}/etc/vault-agent.hcl
+StartLimitIntervalSec=60
+StartLimitBurst=6
+Before=consul.service
+Before=nomad.service
+{% if vault_agent_nomad.nomad_pki.enabled or vault_agent_nomad.vault_token.enabled or vault_agent_nomad.consul_pki.enabled or vault_agent_nomad.consul_token.enabled %}
+PartOf=nomad.service
+{% endif %}
+{% if vault_agent_consul.consul_pki.enabled %}
+PartOf=consul.service
+{% endif %}
+
+[Service]
+Type=notify
+User=root
+Group=root
+SyslogIdentifier=vault-agent
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+PrivateDevices=yes
+SecureBits=keep-caps
+AmbientCapabilities=CAP_IPC_LOCK
+CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE
+NoNewPrivileges=yes
+ExecStart=/usr/local/bin/vault agent -config={{ vault_agent_root_dir }}/etc/
+ExecReload=/bin/kill --signal HUP $MAINPID
+KillMode=process
+KillSignal=SIGINT
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+LimitNOFILE=65536
+LimitMEMLOCK=infinity
+
+[Install]
+WantedBy=multi-user.target
+{% if vault_agent_nomad.nomad_pki.enabled or vault_agent_nomad.vault_token.enabled or vault_agent_nomad.consul_pki.enabled or vault_agent_nomad.consul_token.enabled %}
+RequiredBy=nomad.service
+{% endif %}
+{% if vault_agent_consul.consul_pki.enabled %}
+RequiredBy=consul.service
+{% endif %}
+
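Review bot: `KillMode=process` signals only the agent itself, so the `sh -c "sleep 15 && systemctl reload nomad || true"` children started by the template exec blocks (see the Nomad template on this page) outlive a `systemctl stop vault-agent` and still reload Nomad after the agent is gone; with `KillMode=mixed` the remaining children are killed when the unit stops while `KillSignal=SIGINT` still goes only to the agent. `ProtectSystem=full` mounts /usr, /boot and /etc read-only, so rendering into `{{ vault_agent_root_dir }}` or `{{ nomad_root_dir }}/tls` only works if those live outside those trees or are listed in a `ReadWritePaths=` entry; the page does not show their values, so a comment on the unit stating that assumption would help. `User=root` with a bounding set of CAP_CHOWN, CAP_FOWNER and CAP_DAC_OVERRIDE is what the `chown` exec blocks and the writes into Nomad's tls directory rely on, and a one-line comment saying so would stop the next reader from trying to drop root without moving those steps elsewhere.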
